Error Handling Flashcards

1
Q

Testing for Error Codes

A

These codes reveal a lot of information about databases, bugs, and other technological components directly linked with web applications.

Approach
	- Google hacking 
		○ Locate errors that disclose information
	- Send custom requests to web server
		○ Force specific errors types

Error Types

- Web Server Errors
- Application Server Errors
- Database Errors

Remediation
- Remove the server information from the error responses

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Web Server Errors

A

Can provide useful information like:

  • OS
  • Apache version
  • PHP version
  • OpenSSL version

HTTP Error Codes

- 400
- 404
- 408
- 501
- 505
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

HTTP Status Code:

400 Bad Request

A

The request could not be understood by the server due to invalid syntax.

The client SHOULD NOT repeat the request without modifications.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

HTTP Status Code:

404 Not Found

A

The server has not found anything matching the Request-URI.

No indication is given of whether the condition is temporary or permanent.

This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.

In the browser, this means the URL is not recognized.

In an API, this can also mean that the endpoint is valid but the resource itself does not exist.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

HTTP Status Code:

408 Request Timeout

A

The client did not produce a request within the time that the server was prepared to wait.

It means that the server would like to shut down this unused connection.

The client MAY repeat the request without modifications at any later time.

Also, note that some servers merely shut down the connection without sending this message.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

HTTP Status Code:

501 Not Implemented

A

The server does not support the functionality required to fulfill the request.

The request method is not supported by the server and cannot be handled.

The only methods that servers are required to support (and therefore that must not return this code) are GET and HEAD.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

HTTP Status Code:

505 HTTP Version Not Supported

A

The HTTP version used in the request is not supported by the server.

The response SHOULD contain an entity describing why that version is not supported and what other protocols are supported by that server.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Application Server Errors

A

Errors returned by the application itself.

Can provide server paths, installed libraries, and application versions.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Database Errors

A

Errors returned by the Database System when there is a problem with the query or the connection.

Can provide Database server IPs, tables, columns, and login details.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Testing for Stack Traces

A

The stack trace is a list of the functions in the call stack at the point an exception is triggered.

The stack trace reveals sensitive information.

Attackers attempt to generate these stack traces by tampering with the input to the web application with malformed HTTP requests and other input data.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly